From: Pablo Galindo Salgado Date: Thu, 12 Feb 2026 11:45:28 +0000 (+0000) Subject: gh-142349: Fix refcount corruption in lazy import specialization (#144733) X-Git-Tag: v3.15.0a7~299 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=072cd7c33627a90e9399d9d880d764407584b08e;p=thirdparty%2FPython%2Fcpython.git gh-142349: Fix refcount corruption in lazy import specialization (#144733) Remove spurious Py_DECREF on borrowed ref in LOAD_GLOBAL specialization _PyDict_LookupIndexAndValue() returns a borrowed reference via _Py_dict_lookup(), but specialize_load_global_lock_held() called Py_DECREF(value) on it when bailing out for lazy imports. Each time the adaptive counter fired while a lazy import was still in globals, this stole one reference from the dict's object. With 8+ threads racing through LOAD_GLOBAL during concurrent lazy import resolution, enough triggers accumulated to drive the refcount to zero while the dict and other threads still referenced the object, causing use-after-free. --- diff --git a/Python/specialize.c b/Python/specialize.c index 7c02e929d47d..5ba016f83ea0 100644 --- a/Python/specialize.c +++ b/Python/specialize.c @@ -1321,7 +1321,6 @@ specialize_load_global_lock_held( } if (value != NULL && PyLazyImport_CheckExact(value)) { SPECIALIZATION_FAIL(LOAD_GLOBAL, SPEC_FAIL_ATTR_MODULE_LAZY_VALUE); - Py_DECREF(value); goto fail; } PyInterpreterState *interp = _PyInterpreterState_GET();
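Review bot: In the `PyLazyImport_CheckExact(value)` bailout of `specialize_load_global_lock_held()`, nothing at the site now records that `value` is a borrowed reference, so a later cleanup could reintroduce the `Py_DECREF(value)` before `goto fail`. A one-line comment in that branch stating that `value` is borrowed from the globals dict (the commit message attributes this to `_PyDict_LookupIndexAndValue()`) would document the ownership rule where it matters. The diff as shown touches only `Python/specialize.c` and adds no regression test. The commit message describes a deterministic trigger (the adaptive counter firing while a lazy import is still in globals, each time dropping one reference), so a single-threaded test that asserts the lazy object's refcount is unchanged after repeated specialization attempts would cover this without depending on the 8+ thread race.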